OCSP responder returns Response timestamp error (status expired)


Article ID: 168393




Mobility Threat Protection ProxySG Software - SGOS


The OCSP responder reports that the certificate is expired/invalid, but you have verified that the certificate itself is valid.


To confirm that this is the issue, take a packet capture (PCAP) of the OCSP exchange and look at the thisUpdate and nextUpdate timestamps in the OCSP response.

PCAP highlighting the issue (screenshot)

In this instance, the nextUpdate time has already passed, meaning the responder missed an update (for whatever reason). The ProxySG appliance therefore treats the response as expired even though the certificate itself is still valid.


Blue Coat is unable to provide a resolution for this, as the responder's update schedule is beyond Blue Coat's control. See below for a workaround.


The workaround is to tell the ProxySG appliance to ignore the validity period passed by the OCSP responder and use the TTL value set in the Device Profile instead.
In the Management Console, select Configuration > SSL > OCSP, select your profile, then click Edit. The Edit OCSP responder dialog opens.

View of the OCSP profile Edit page on the ProxySG (screenshot)

Change the Response Cache TTL from "Use TTL from the OCSP response" (the default) to "Use TTL:".
Set "Use TTL:" to 1 (day).

Blue Coat has had success setting this to 1 day; you might need to extend this period slightly if the responder's updates lag by more than a day.
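The following Python script is an added example, not ProxySG code, that models the check described in this article: it parses the thisUpdate/nextUpdate timestamps as Wireshark shows them in a PCAP (ASN.1 GeneralizedTime), reports whether a validator would treat the response as expired, and contrasts the two Response Cache TTL policies. The sample timestamps are constructed; the 5-minute clock-skew allowance and the assumption that a fixed TTL is counted from the moment the proxy receives the response are the author's assumptions about the policy's effect, not a description of the appliance's internal implementation.

```python
"""Model of an OCSP response freshness check and the two cache-TTL policies.
Added example; not ProxySG code. All timestamps below are constructed."""
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value: str) -> datetime:
    """Parse ASN.1 GeneralizedTime in the form Wireshark shows for OCSP
    thisUpdate/nextUpdate fields, e.g. "20240115093000Z" (always UTC)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify_response(this_update, next_update, now, skew=timedelta(minutes=5)):
    """Decide, from timestamps alone, why a validator accepts or rejects a
    SingleResponse. nextUpdate is OPTIONAL in RFC 6960, so None is allowed.
    The skew tolerance is an assumption, not a ProxySG setting."""
    this_dt = parse_generalized_time(this_update)
    if this_dt - skew > now:
        return "not_yet_valid"          # thisUpdate lies in the future
    if next_update is None:
        return "no_next_update"         # responder gave no expiry hint
    next_dt = parse_generalized_time(next_update)
    if next_dt + skew < now:
        return "expired"                # the case on this page: nextUpdate already passed
    return "fresh"


def cache_expiry(next_update, received_at, use_fixed_ttl, ttl_days=1):
    """Model the two Response Cache TTL policies.
    - responder TTL: the cached response is good until nextUpdate (None if absent)
    - fixed TTL:     the cached response is good for ttl_days after receipt
    The fixed-TTL behaviour is an assumption about the policy's effect."""
    if use_fixed_ttl:
        return received_at + timedelta(days=ttl_days)
    if next_update is None:
        return None
    return parse_generalized_time(next_update)


# Constructed values illustrating the PCAP described in the article:
# the responder's nextUpdate is a day in the past relative to "now".
SAMPLE_THIS_UPDATE = "20240110080000Z"
SAMPLE_NEXT_UPDATE = "20240114080000Z"
SAMPLE_NOW = parse_generalized_time("20240115093000Z")


def demo():
    """Return (status, expiry under responder TTL, expiry under fixed 1-day TTL)."""
    status = classify_response(SAMPLE_THIS_UPDATE, SAMPLE_NEXT_UPDATE, SAMPLE_NOW)
    responder_exp = cache_expiry(SAMPLE_NEXT_UPDATE, SAMPLE_NOW, use_fixed_ttl=False)
    fixed_exp = cache_expiry(SAMPLE_NEXT_UPDATE, SAMPLE_NOW, use_fixed_ttl=True)
    return status, responder_exp, fixed_exp


if __name__ == "__main__":
    status, responder_exp, fixed_exp = demo()
    print(f"status under responder timestamps : {status}")
    print(f"cache valid until (responder TTL)  : {responder_exp.isoformat()}")
    print(f"cache valid until (Use TTL: 1 day) : {fixed_exp.isoformat()}")
```

Running the script with the constructed values shows the response classified as expired under the responder's own nextUpdate, while the fixed 1-day TTL keeps the cached response usable until the next day, which is the effect the workaround above relies on.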